User Manual for ZyXEL 35

ZyWALL 35 Support Notes 
 
 
All contents copyright (c) 2006 ZyXEL Communications Corporation.   
The above figure shows the "triangle route" topology. It works fine if you turn off the firewall function on the ZyWALL. However, if you turn on the firewall, your connection will be blocked by the firewall for the following reason.
Step 1. As the default gateway of the PC, the ZyWALL receives all "outgoing" traffic from the PC.
Step 2. Because of Static Route/Traffic Redirect/Policy Routing, the ZyWALL forwards the traffic to another gateway (ISDN/Router) which is in the same segment as the ZyWALL's LAN.
Step 3. However, the return traffic does not go back through the ZyWALL. Instead, the other gateway (ISDN/Router) sends the traffic back to the PC directly, because the gateway (say, P201) and the PC are in the same segment.
When the firewall is turned on, the ZyWALL checks the outgoing traffic against the ACL and creates dynamic sessions to allow return traffic to go back. To achieve Anti-DoS, the ZyWALL sends RST packets to the PC and the peer, since it never receives the TCP SYN/ACK packet. Thus the connection will always be reset by the ZyWALL.
 
[Solutions]
(A) Deploying your second gateway in an IP alias segment is a better solution. This way, your connection is always under the control of the firewall, so there is no triangle route problem.

(B) Deploying your second gateway on the WAN side.
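
The following is an added example, not part of the original support notes or ZyXEL code. It models Steps 1 to 3 and solution (A): whether the SYN/ACK crosses the firewall depends on whether the PC is on-link for the second gateway. All addresses, route entries and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_interface, ip_network

def reply_path(pc_ip, gw_iface):
    """Hops taken by return traffic from the second gateway to the PC.

    gw_iface is the gateway's address on the side facing the ZyWALL,
    e.g. "192.168.1.254/24". If the PC is on-link for the gateway,
    the reply is delivered directly and never crosses the firewall.
    """
    if ip_address(pc_ip) in ip_interface(gw_iface).network:
        return ["gateway", "pc"]
    return ["gateway", "zywall", "pc"]

def handshake_result(pc_ip, gw_iface):
    """Replay a TCP open against a minimal stateful-session model."""
    # The SYN always crosses the ZyWALL (it is the PC's default gateway),
    # so the firewall creates a half-open dynamic session.
    state = "SYN_SEEN"
    # The session only completes if the SYN/ACK crosses the firewall too.
    if "zywall" in reply_path(pc_ip, gw_iface):
        state = "ESTABLISHED"
    # A session that never sees the SYN/ACK is reset (RST to PC and peer).
    return "allowed" if state == "ESTABLISHED" else "reset"

def audit_routes(lan_net, routes):
    """Return route destinations whose next hop sits inside the protected LAN."""
    lan = ip_network(lan_net)
    return [dst for dst, hop in routes if ip_address(hop) in lan]

# Constructed sample topology (assumed values, not from the page).
PC = "192.168.1.33"
ROUTES = [
    ("10.10.0.0/16", "192.168.1.254"),  # gateway in the PC's own segment
    ("10.20.0.0/16", "192.168.2.254"),  # gateway in an IP alias segment
]

if __name__ == "__main__":
    print("triangle-route risk:", audit_routes("192.168.1.0/24", ROUTES))
    for _, hop in ROUTES:
        print(hop, "->", handshake_result(PC, f"{hop}/24"))
```

Running the audit over an exported static route list before enabling the firewall shows which next hops need to move to an alias segment or to the WAN side.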